Azure Information Protection is a great tool for labelling and protecting sensitive content. In my previous blogs I showed you the end-user (functional) side of AIP as well as the administration side. In this blog I want to focus on the administration side again and explain some of the PowerShell cmdlets you can use.
PowerShell is an administrator's dream. It's easy to use and very powerful. The AIP client also comes with a couple of cmdlets which can make your (information protection) life a bit easier. You can use PowerShell to get a report on the label and protection status of your content. And you can also use it to classify and protect your content in bulk.
Can I use PowerShell cmdlets?
First things first. The cmdlets are provided to you with the AIP client. To use the most current version of the PowerShell cmdlets, you need at least AIP client version 1.7.210.0. You can use PowerShell to check this as well. Open PowerShell and use this cmdlet:
(Get-Module AzureInformationProtection -ListAvailable).Version
If the module is installed, PowerShell will display the currently installed version. In this example, the 1.9.210 preview client.

Available cmdlets
The AIP client comes equipped with a lot of built-in cmdlets. This list is from the Microsoft website:

In this blog I will focus on two: Get-AIPFileStatus and Set-AIPFileLabel. And for this, I have a couple of documents stored locally on my workstation. Only one of these documents has been labelled and protected and that’s the “Azure Information Protection …..” one.

Let’s say I want to know whether the “Burgerservicenummer.docx” file is labelled and/or protected. To this end, I use the cmdlet Get-AIPFileStatus. This cmdlet will return all AIP information: label, RMS policy, and more. I will need to enter the filename, and this gets me:

As you can see, this cmdlet provides me with all AIP information I need.
Should the file be labelled and protected, I expect to see this.

Let’s see this in action.
These videos show you how to get the AIP information of an unlabelled and unprotected file (video 1) and a labelled file (video 2).
Multiple files
Getting the information from a single file might not be the function you are looking for. In most cases you probably need information on a collection of files, for instance all files in a specific folder or with a specific label. Basically, you just enter the folder you need when using the Get-AIPFileStatus cmdlet.

As a large list of files isn’t very handy, you can export this list to a comma separated file or CSV. You use this cmdlet for this:
Get-AIPFileStatus -path D:\Users\hoitinal\Documents\AIP | Export-Csv -Path C:\temp\demo2.txt
All details of the file will now be stored in a text-file, which you can open with Excel (for example).

It is also possible to add another condition to the cmdlet. For example, you want to have all information on files which have been labelled “Internal”. You use this cmdlet, which also exports the results to a text file.
Get-AIPFileStatus -Path \\Finance\Projects\ | Where-Object {$_.MainLabelName -eq 'Internal'} | Export-Csv C:\Reports\AIP-status.csv
These videos show you how to get the AIP information of multiple files in general (video 1) and based on the label-name (video 2).
Setting labels and/or protection
Getting information on the AIP status of files is pretty easy. But you can even use the cmdlets to automatically label and/or protect files. For example, you want to label a document with the label “Internal”. The cmdlet to use is Set-AIPFileLabel. This cmdlet requires the label-id and not the label name. So, look up this label-id in the Azure Information Protection portal.
This is the cmdlet you use.
Set-AIPFileLabel -path D:\users\hoitinal\documents\AIP\Burgerservicenummer.docx -LabelId ba8a21f7-34b3-4230-a824-49f9a691cb35
This video shows you how to set the AIP label for a file.
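The reporting and labelling steps above combined into one script, as an added example that is not part of the original post: it inventories a folder, exports the files that are neither labelled nor protected, and labels only those when run with -Apply. The folder, report path and label-id are placeholders, and the property names used (FileName, IsLabeled, MainLabelName, IsRMSProtected) are assumed to be the ones Get-AIPFileStatus returns in the AIP client.

```powershell
# Added example (not from the original post). Placeholders: $Folder, $Report, $LabelId.
param(
    [string]$Folder  = 'D:\Data\ToReview',                      # placeholder folder
    [guid]  $LabelId = '00000000-0000-0000-0000-000000000000',  # placeholder label-id
    [string]$Report  = 'C:\temp\aip-unlabelled.csv',            # placeholder report path
    [switch]$Apply                                              # without -Apply nothing is modified
)

# Stop early if the AIP client module is not installed on this machine.
Import-Module AzureInformationProtection -ErrorAction Stop

# 1. Inventory: one status object per file in the folder.
$status = Get-AIPFileStatus -Path $Folder

# 2. Summary per label, so you can see what is already classified.
$status |
    Group-Object { if ($_.IsLabeled) { $_.MainLabelName } else { '(no label)' } } |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize | Out-Host

# 3. Candidates: files without a label and without RMS protection.
#    Files that are already labelled or protected are left untouched.
$todo = @($status | Where-Object { -not $_.IsLabeled -and -not $_.IsRMSProtected })
$todo | Select-Object FileName, IsLabeled, IsRMSProtected |
    Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

if (-not $Apply) {
    Write-Host "$($todo.Count) file(s) would be labelled. Review $Report, then re-run with -Apply."
    return
}

# 4. Label the candidates one by one, so a failure on one file
#    does not stop the rest of the run.
foreach ($file in $todo) {
    try {
        Set-AIPFileLabel -Path $file.FileName -LabelId $LabelId -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not label $($file.FileName): $($_.Exception.Message)"
    }
}
```

Run it once without -Apply and review the exported CSV before letting it change any files.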
Using automatic classification
You can even use PowerShell to scan the content of your files and apply the required label and protection. This is a very powerful option. It uses the Set-AIPFileClassification cmdlet. When used, the cmdlet will scan every file in the path and apply the relevant policy based on the AIP rules.
More information
There are a lot of possibilities with these cmdlets. I haven’t shown you all of them. On this Microsoft webpage you will get all the cmdlets explained. I hope this blog provided some more information.
There are many more cmdlets, mostly for administrative purposes. One thing to keep in mind when using PowerShell (and this is from Microsoft):
Note that if you didn’t run the Set-RMSServerAuthentication command, you will be authenticated to the Azure Rights Management service by using your own user account. If you are on a domain-joined computer, your current credentials will always be used automatically. If you are on a workgroup computer, you will be prompted to sign in to Azure and these credentials are then cached for subsequent commands.
How to get the AIP Label-ID ??
Hi there,
To get the AIP label-id, go to the Azure Information Protection portal (https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection) and select the label. At the bottom of the detail-screen, you’ll see the label-id. Or you can use PowerShell to get there.
Hi there,
I'm more concerned about the existing files in a document library. Can I use Set-AIPFileLabel in PowerShell to update the sensitivity label?
Example : Set-AIPFileLabel -Path https://costco.sharepoint.com/sites/abc/Document%20Library/testsentity1.docx -LabelId “8f7c3de7-3464-49cd-82e6-ca3e43a814fd”.
Hi John,
I don’t think this is going to work. This cmdlet is used for content stored either on the device, network share or on-premises SharePoint. I haven’t been able to use this on SharePoint Online. You should be able to use the new data-classification at rest, but this does need some arguments for determining the right label. You cannot just label everything with a “default” label. Probably Microsoft’s working on this, but I don’t have any information on that yet. If I find a way to work around this, I will let you (and the rest) know…..
Is there a way to apply the AIP/Sensitivity labels to the files stored in SharePoint Online directly without downloading the file? It's not feasible to download every file, apply the label and then upload the file again.
Hi there,
For this specific scenario, Microsoft released the auto-classification for data @rest functionality. This functionality allows you to scan and classify documents which are stored in either SharePoint Online or OneDrive for Business. https://alberthoitingh.com/2020/03/27/auto-labeling-data-at-rest-pt-1/
Please note that you cannot use PowerShell or the AIP Scanner to scan online repositories.
Auto-labeling does allow this, but does require an additional license.
Hope this helps.
Kind regards,
Albert
Thanks a lot, mate, for the quick reply and this wonderful post. Appreciate the efforts!! Forgot to mention it earlier.
We have a specific requirement – documents in our SharePoint Online have a metadata column which has a few values associated with it. So depending upon that value, we have to apply a specific sensitivity label. We have E5 so licensing is not of concern.
So I don’t know whether auto-labelling is capable of doing it or not (so far I have not been able to figure it out). If it does support our scenario then we can use it, but this is just a one-time activity that we want to do.
So if there is no way then we don't have any option except to download the docs, apply the label and then upload the docs as a new version. Let me know your thoughts on this approach. Thanks again
Hi there Sumit,
Interesting scenario. This would have worked if we were talking about retention labels. These allow you to use content types and metadata (including those in the search index for SharePoint Online) to auto-classify the content. Unfortunately, sensitivity labels work differently and look at the content inside of documents themselves.
So you can only use sensitive information types or trainable classifiers for this. But….. both won’t be able to work with the metadata columns. Sensitive information types only work with regex, keywords (and dictionaries). And again: these will be used to look at the content inside of a document.
So I’m afraid this is not possible, at this time. You can use the Unified Labeling client with the OneDrive sync client. This way, you can just select the folder, right click, select the label and press Apply. This will result in a download/upload of documents. The modified data might change because of this, but I’m not sure about the “Modified by”. I just tested this and the “Modified by” did not change.
By the way – some time ago there was some form of work-around (https://joannecklein.com/2017/11/14/aip-labels-via-sharepoint-metadata/). But this is no longer the case. You cannot modify the sensitivity label from SharePoint Online itself I’m afraid.
Sorry about this….
I completely understand, Albert, and appreciate your quick response and this smart solution. I will let you know if we go via this path.
Thanks a lot, mate, for taking time from your busy routine to help!! Cheers.
Be warned!!!
If you attempt to automate this you may experience random crashes using PowerShell
Hi Albert,
Thank you for this information. I have thousands of files on-prem that I need to be able to use “PowerShell to scan the content of my files and apply the required label and protection required”. How do I go about doing so. Is there a script I can run to accomplish this? Thanks in advance!
Hi John,
Sorry for the late reply – I was away on holiday.
But if you need to scan files on-prem at scale, then you should use the Azure Information Protection scanner. This will provide the required functionality and does not require PowerShell.
Hi Albert, the current version of my AIPService module is 3.0.0.1. For some reason Get-AIPFileStatus is not showing up in IntelliSense and I get an error “The term ‘Get-AIPFilestatus’ is not recognized as the name of a cmdlet, function, script file, or operable program. ”
I have done a lot of research and can't seem to find a solution to this.
Any help will be appreciated.
Regards,
Hari
Hello Hari,
Did you install the AIP Unified Labeling client? This cmdlet should be part of that client. You can read this here: https://learn.microsoft.com/en-us/powershell/module/azureinformationprotection/?view=azureipps
Hi @albert,
I am working on a use case where the files (PDF, Word, Excel and PPT) are downloaded from SharePoint to local.
The public files' data is easily readable once downloaded from a Python script, but when I try to read confidential files I get an error and can't read them for extraction of data.
Is there a way that, once I download the confidential files as well, I can change the label to public to extract data from those files?
Can you suggest what method I should try to achieve my use case, as I am not so familiar with Windows? The use case should also work on Linux, but for now Windows will also work.
Your response will be appreciated.
Hi Shivam,
Interesting case 🙂 You might want to look at this PowerShell cmdlet. It basically removes the label and encryption when the document is downloaded from SharePoint Online: https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedfile?view=sharepoint-ps Tony Redmond published an article on this, using this cmdlet; https://office365itpros.com/2021/03/25/decrypt-protected-sharepoint-files/ But as this article states, there is no option to remove the encryption using the Graph.
Hi @albert ,
I was able to get and set labels using SetAPILabel on Windows (the given link was very helpful and straightforward – https://gist.github.com/brunomsantiago/c79d17bf74c4c78c51debf7f7e0bafb5).
When I try to execute the PowerShell on Ubuntu, the SetApiLabel cmdlet is not supported on Ubuntu after my research, as Get-Command in PowerShell does not display the cmdlet.
The same goes for Unlock-SPOSensitivityLabelEncryptedFile, which you mentioned; it is also not available on Ubuntu.
I need to perform it on Ubuntu only. Then I have the MIP SDK, but it's too complex for me as C++ or C# is not my forte. But if you have any direct solution for Ubuntu after going through the above link, please share.
Thanks
Hi there Shivam,
According to the documentation, these PowerShell modules are only supported on the Windows platform. Also, the Set-AIPLabel cmdlet has now been replaced with the Set-FileLabel in the new 3.x client. I don’t have a direct solution for this, but I will look into this and try to contact someone at Microsoft.
Hello. Do you have a script to recover all the AIP Labels and their IDs from a tenant?
That is a bit tricky. The AIP backend is no longer accessible, even with the older PowerShell modules. Do you mean the labels that are now part of Purview or the “classic” AIP labels?
Hello Albert
I just got help from Microsoft!
The PowerShell command
Connect-IPPSSession
Get-Label | FT Name, GUID
gives me a list of all the tenant IP labels with their GUID.
Now I can use these GUID to apply them to files or SPO libraries.
Thanks for your support!
Best Regards
Chris
Yep. That works 😀 I thought you meant the classic AIP labels 😂